Black Kingdom

Microsoft Exchange servers targeted by second ransomware group

In the midst of a patching frenzy, Microsoft Exchange email servers are under attack from a new ransomware gang.

Going by the name of Black Kingdom, this ransomware gang was first spotted last year in June, when they used vulnerabilities in Pulse Secure VPN products to breach corporate networks and install their file-encrypting payload.

But with the disclosure of the ProxyLogon vulnerabilities impacting Exchange email servers, the Black Kingdom group appears to have also switched operations over the weekend when they began using publicly-available proof-of-concept exploit code to take over Exchange servers.

The initial attacks were spotted by Marcus Hutchins, a security researcher for US security firm Kryptos Logic, and they failed to do any damage to victims.

In a tweet on Sunday, Hutchins said the attackers were accessing Exchange servers and leaving a ransom note behind, claiming they encrypted files and demanding a ransom payment of $10,000 for the decryption key. But Hutchins said that Black Kingdom was failing to encrypt data, leaving server files intact.

The Black Kingdom gang appears to have realized its mistake yesterday, on Monday. According to security firms Arete IR, Sophos, and Speartip, attacks changed at the start of the week, and the group is now also encrypting files, giving their attacks a more dangerous edge, especially since they're happening indiscriminately and at scale.

The new and properly working file encryption process was also confirmed today by Kevin Beaumont, a threat intelligence analyst for Microsoft's cybersecurity team.

The number of impacted victims is currently unclear, as it's impossible to track all servers impacted by the Black Kingdom group. However, a source told The Record today that at least one major company has been impacted, a company that provides services to the automotive industry, which is currently in the process of dealing with the attack.

All in all, Black Kingdom becomes the second ransomware group that abuses the ProxyLogon vulnerabilities to gain a foothold on corporate servers and launch file-encryption operations. The first one was a ransomware strain that security researchers are tracking under the name of DearCry, first spotted last week.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles
Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.